HIPAA / HITECH – We are not able to sign a Business Associate Agreement for our Cloud products, and we recommend our Server products for companies that need to comply. We have more information on this in our Privacy Policy.

PCI – Atlassian uses tokens with PCI DSS certified credit card processors; we never see or store your credit card details. To use our products within PCI environments, you need to assess them against your own PCI compliance requirements.

Will Atlassian share information on its internal controls?

We have put a great deal of work into something we call our Atlassian Control Framework (ACF), which combines the controls from external regulatory requirements and industry standards. We utilize this framework to implement controls internally and use external companies to evaluate and validate the implementation and operation of our controls. You can view the status of any of our certifications or reports on our Compliance page.

Where can I find Atlassian's security and technology policies?

We have put a lot of work into building out an internal Policy Central inside our own Confluence. All of our policies have a similar format and structure, defined owners, and committed review cycles. You can read through the tl;dr for each of our internal Technology Domain policies.

Has Atlassian defined responsibilities for cloud security and cloud operations?

We have published a whitepaper outlining the responsibilities that we manage, and the responsibilities that each of our customers should manage. We've written it with our customers in mind, and we've detailed the particular security topics that each customer should manage. Read through the whitepaper.

Who has access to our data?

Is data stored on Atlassian cloud products encrypted?

Atlassian encrypts customer data in transit and at rest.

All customer data stored within Atlassian cloud products and services is encrypted in transit over public networks using Transport Layer Security (TLS) 1.2+ with Perfect Forward Secrecy (PFS) to protect it from unauthorized disclosure or modification.

Can we review Atlassian's testing reports?

Any security vulnerabilities identified in the reports below are tracked in our internal Jira as they come through the Bug Bounty intake process and are closed according to the SLA timelines on our Security Bug Fix Policy.

Can we undertake our own security testing?

In line with our Terms of Use for our cloud products, we currently do not allow customer-initiated testing. We are committed to being open and will publish statistics from our bug bounty program once it is public.

Can you complete my security questionnaire?

We are committed to being open and transparent and sharing information. Part of this goal is to publish as much information as we can to enable you to be comfortable with your decision to use our products and services. We have compiled responses to some of the most frequent standard questionnaire types. If you have additional questions, let us know!

What is Atlassian's data privacy policy?

What responsibilities does Atlassian maintain during a security incident?

Here at Atlassian, we try our best to ensure our customers don't experience an outage or a security incident. However, we acknowledge that a security incident has the potential to happen. We have written down our responsibilities during a security incident and what our customers should plan to manage.